forked from extern/shorewall_code
Add UPnP support
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2031 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
1180175379
commit
c5949a0119
@ -12,6 +12,10 @@
|
|||||||
# #conntrack state.
|
# #conntrack state.
|
||||||
# allowInvalid #Accept packets that are in the INVALID
|
# allowInvalid #Accept packets that are in the INVALID
|
||||||
# #conntrack state.
|
# #conntrack state.
|
||||||
|
# allowoutUPnP #Allow traffic from local command 'upnpd'
|
||||||
|
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
|
||||||
|
# forwardUPnP #Allow traffic that upnpd has redirected from
|
||||||
|
# #'upnp' interfaces.
|
||||||
#
|
#
|
||||||
#ACTION
|
#ACTION
|
||||||
|
|
||||||
|
@ -1,3 +1,7 @@
|
|||||||
|
Changes in 2.2.4
|
||||||
|
|
||||||
|
1) Added support for UPnP
|
||||||
|
|
||||||
Changes in 2.2.3
|
Changes in 2.2.3
|
||||||
|
|
||||||
1) Added the 'continue' extension script.
|
1) Added the 'continue' extension script.
|
||||||
|
@ -937,7 +937,7 @@ validate_interfaces_file() {
|
|||||||
|
|
||||||
for option in $options; do
|
for option in $options; do
|
||||||
case $option in
|
case $option in
|
||||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
|
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
||||||
;;
|
;;
|
||||||
detectnets)
|
detectnets)
|
||||||
[ -n "$wildcard" ] && \
|
[ -n "$wildcard" ] && \
|
||||||
@ -3473,7 +3473,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
|||||||
#
|
#
|
||||||
process_actions1() {
|
process_actions1() {
|
||||||
|
|
||||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
|
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
|
||||||
|
|
||||||
USEDACTIONS=
|
USEDACTIONS=
|
||||||
|
|
||||||
strip_file actions
|
strip_file actions
|
||||||
@ -3544,6 +3545,15 @@ process_actions1() {
|
|||||||
|
|
||||||
process_actions2() {
|
process_actions2() {
|
||||||
|
|
||||||
|
local interfaces="$(find_interfaces_by_option upnp)"
|
||||||
|
|
||||||
|
if [ -n "$interfaces" ]; then
|
||||||
|
if ! list_search forwardUPnP $USEDACTIONS; then
|
||||||
|
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
|
||||||
|
USEDACTIONS="$USEDACTIONS forwardUPnP"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
progress_message " Generating Transitive Closure of Used-action List..."
|
progress_message " Generating Transitive Closure of Used-action List..."
|
||||||
|
|
||||||
changed=Yes
|
changed=Yes
|
||||||
@ -3695,6 +3705,26 @@ process_actions3() {
|
|||||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
forwardUPnP)
|
||||||
|
;;
|
||||||
|
allowinUPnP)
|
||||||
|
if [ "$COMMAND" != check ]; then
|
||||||
|
if [ -n "$xlevel" ]; then
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
|
||||||
|
fi
|
||||||
|
|
||||||
|
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
|
||||||
|
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
allowoutUPnP)
|
||||||
|
if [ "$COMMAND" != check ]; then
|
||||||
|
[ -n "$xlevel" ] && \
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
|
||||||
|
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
|
||||||
|
fi
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
#
|
#
|
||||||
# Not a builtin
|
# Not a builtin
|
||||||
@ -6290,6 +6320,20 @@ add_common_rules() {
|
|||||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
#
|
||||||
|
# UPnP
|
||||||
|
#
|
||||||
|
interfaces=$(find_interfaces_by_option upnp)
|
||||||
|
|
||||||
|
if [ -n "$interfaces" ]; then
|
||||||
|
echo "Setting up UPnP..."
|
||||||
|
|
||||||
|
createnatchain UPnP
|
||||||
|
|
||||||
|
for interface in $interfaces; do
|
||||||
|
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
setup_forwarding
|
setup_forwarding
|
||||||
}
|
}
|
||||||
@ -6387,7 +6431,9 @@ activate_rules()
|
|||||||
# are inserted before jumps to one-to-one NAT chains.
|
# are inserted before jumps to one-to-one NAT chains.
|
||||||
#
|
#
|
||||||
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
||||||
{
|
{ interfaces=$(find_interfaces_by_option upnp)
|
||||||
|
|
||||||
|
|
||||||
local sourcechain=$1 destchain=$2
|
local sourcechain=$1 destchain=$2
|
||||||
shift
|
shift
|
||||||
shift
|
shift
|
||||||
@ -6402,7 +6448,7 @@ activate_rules()
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add jumps to early SNAT chains
|
# Add jumps to early SNAT chains
|
||||||
#
|
#
|
||||||
@ -6697,6 +6743,7 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
|
|
||||||
echo "Initializing..."; initialize_netfilter
|
echo "Initializing..."; initialize_netfilter
|
||||||
echo "Configuring Proxy ARP"; setup_proxy_arp
|
echo "Configuring Proxy ARP"; setup_proxy_arp
|
||||||
|
|
||||||
echo "Setting up NAT..."; setup_nat
|
echo "Setting up NAT..."; setup_nat
|
||||||
echo "Setting up NETMAP..."; setup_netmap
|
echo "Setting up NETMAP..."; setup_netmap
|
||||||
echo "Adding Common Rules"; add_common_rules
|
echo "Adding Common Rules"; add_common_rules
|
||||||
|
@ -167,6 +167,8 @@
|
|||||||
# detectnets - Automatically taylors the zone named
|
# detectnets - Automatically taylors the zone named
|
||||||
# in the ZONE column to include only those
|
# in the ZONE column to include only those
|
||||||
# hosts routed through the interface.
|
# hosts routed through the interface.
|
||||||
|
# upnp - Incoming requests from this interface may
|
||||||
|
# be remapped via UPNP (upnpd).
|
||||||
#
|
#
|
||||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||||
# INTERNET INTERFACE.
|
# INTERNET INTERFACE.
|
||||||
|
@ -1,4 +1,67 @@
|
|||||||
Shorewall 2.2.3
|
Shorewall 2.2.4
|
||||||
|
|
||||||
|
-----------------------------------------------------------------------
|
||||||
|
Problems corrected in version 2.2.4
|
||||||
|
|
||||||
|
None.
|
||||||
|
|
||||||
|
-----------------------------------------------------------------------
|
||||||
|
New Features in version 2.2.4
|
||||||
|
|
||||||
|
1) Support has been added for UPnP using linux-igd
|
||||||
|
(http://linux-idg.sourceforge.net). UPnP is required by a number of
|
||||||
|
popular applications including MSN IM.
|
||||||
|
|
||||||
|
WARNING: From a security architecture viewpoint, UPnP is a
|
||||||
|
disaster. It assumes that:
|
||||||
|
|
||||||
|
a) All local systems and their users are complete
|
||||||
|
trustworthy.
|
||||||
|
|
||||||
|
b) No local system is infected with any worm or trojan.
|
||||||
|
|
||||||
|
If either of these assumptions are not true then UPnP can
|
||||||
|
be used to totally defeat you firewall and to allow
|
||||||
|
incoming connections to arbitrary local systems on any port
|
||||||
|
whatsoever.
|
||||||
|
|
||||||
|
In short: USE UPnP AT YOUR OWN RISK.
|
||||||
|
|
||||||
|
WARNING: Building and installing linux-igd is not for the faint of
|
||||||
|
heart. You must download the source from the CVS and be
|
||||||
|
prepared to do quite a bit of fiddling with the include
|
||||||
|
files from libupnp (which is required to build and/or run
|
||||||
|
linux-igd).
|
||||||
|
|
||||||
|
linux-idg Configuration:
|
||||||
|
|
||||||
|
In /etc/upnpd.conf, you will want:
|
||||||
|
|
||||||
|
insert_forward_rules = yes
|
||||||
|
prerouting_chain_name = UPnP
|
||||||
|
forward_chain_name = forwardUPnP
|
||||||
|
|
||||||
|
Shorewall Configuration:
|
||||||
|
|
||||||
|
In /etc/shorewall/interfaces, you need the 'upnp' option
|
||||||
|
on your external interface.
|
||||||
|
|
||||||
|
If your fw->loc policy is not ACCEPT then you need this
|
||||||
|
rule:
|
||||||
|
|
||||||
|
allowoutUPnP fw loc
|
||||||
|
|
||||||
|
If your loc->fw policy is not ACCEPT then you need this
|
||||||
|
rule:
|
||||||
|
|
||||||
|
allowinUPnP loc fw
|
||||||
|
|
||||||
|
You MUST have this rule:
|
||||||
|
|
||||||
|
forwardUPnP net loc
|
||||||
|
|
||||||
|
You must also ensure that you have a route to 224.0.0.0/4 on your
|
||||||
|
internal (local) interface.
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Problems corrected in version 2.2.3
|
Problems corrected in version 2.2.3
|
||||||
|
Loading…
Reference in New Issue
Block a user